Open Tuition’s Ken Garrett looks at assurance mapping, a new addition to the SBL syllabus.

Added to the ACCA SBL syllabus from September 2021 is the topic of assurance mapping and the ‘four lines of defence’, so this might be a useful time to quickly review syllabus area D2, Managing, monitoring and mitigating risk.
All business ventures incur risk – failed developments, bad debts, accidents and so on. Ultimately, many of the risks are borne by shareholders and it is essential that businesses assess the level of risks that shareholders are willing to shoulder and to monitor and control the risks in line with shareholder expectations.
The amount of risk that shareholders are prepared to accept for expected returns is their risk appetite. This depends on each shareholder’s attitude to risk and their risk capacity: how much risk they are able to bear. For example, in absolute terms, a rich investor will be able to endure the risk of losing more money than a poor investor.
To accurately match shareholders’ risk appetite, businesses must identify, assess and respond to risks. All identified risks should be entered into the risk register and control is maintained from then on. Assessment of a risk will normally use both the probability of the risk occurring and its impact if the event did occur. Trivial, unlikely events can be ignored; major, likely ones might be better avoided. TARA is often used to label the four cells of the probability-impact matrix:
• Transfer (e.g. by insurance or subcontracting risky activities).
• Avoid (abandon that activity).
• Reduce (treat or mitigate either the probability or the impact, e.g. by training, protocols, protective equipment).
• Accept (live with it as it is).
The assessment of the risks will be noted on the risk register together with the appropriate responses. A named person should be made responsible and a date for action established. This will be signed off when the appropriate actions have been taken. All risks, other than those falling within the ‘Accept’ cell, require a response or responses and assurance mapping identifies four possible lines of defence where each risk can be dealt with. Relatively small risks might make use of only one of these lines (which could, of course, be breached); the most serious risks might make use of several concurrent lines of defence so that it is unlikely that all are breached at the same time.
The four lines of defence are:
• Management
• Internal procedures
• Internal audit
• External
For example, many companies will be operating in environments where the consequences of money laundering are extremely severe, both financially and reputationally. All four lines of defence could be used:
Management: board declarations that this is not tolerated and mention in the ethics manual that money laundering is absolutely forbidden and will lead to instant dismissal. Rewards for employees who identify and report potential breaches.
Internal procedures: training to enable employees to identify high-risk, suspect activities. Strict procedures for the receipt and disbursal of cash to identify sources and destinations.
Internal audit: careful verification of all receipts and payments from and to foreign bank accounts (most money laundering involves foreign bank accounts as these are often harder to verify).
External: legal and accounting experts involved in training and procedures; a ‘hot-line’ that staff can use if concerned about a transaction.

The importance of each line of defence can be shown on an assurance map or table. For example, in terms of SBL, obvious risks arise when deciding to open in a new country or to develop a new product. An appropriate assurance map might be:
The darker the shading, the more important the line of defence. The thinking is as follows (and this is only for the sake of illustration: you might disagree with where the defences should be placed):
Expansion abroad: major investment probably needed so the board needs to look at this carefully. Internal procedures should have assessed market size, consumer taste and competitors. External experts might assess legal problems, economic forecasts, currency volatility.
New product: less board involvement, but lots of feasibility work should have been done by the marketing, design and production departments. Internal audit might become involved to independently review the forecasts.
• Ken Garrett is a top tutor for Open Tuition